DEVSECOPS

BRIDGING THE DIVIDE BETWEEN DEVELOPMENT, SECURITY, AND OPERATIONS

Bringing together development, operations & security professionals and techniques to develop and deliver capability to the mission, while embracing organizational and cultural change for maximum impact.

FOSTERING THE CULTURAL CHANGE OUR CLIENTS REQUIRE.

Across the Federal Government, organizations are rushing toward DevOps in pursuit of industry best practices and efficiencies across their technology enterprise. Yet introducing CI/CD and infrastructure automation on its own is not enough, and many organizations come away with a "been there, done that, no real improvement" result.

At Steampunk, we take a different approach to DevSecOps. We focus not only on the latest technology in the DevSecOps ecosystem, but equally on the organizational and cultural change required to align people, processes, and technology on a common outcome: the mission of the organization.

Some of the areas we focus on in our DevSecOps practice are as follows:

Maturity Assessment and Roadmapping

Continuous Integration and Continuous Delivery (CI/CD)

Continuous Deployment

Test Automation

Integrated Code Quality and Security Scanning

Static and Dynamic App Security Scanning

Infrastructure as Code

Platform as a Service

Integrated Security Governance

Maturity Assessment and Roadmapping

Every organization requires information technology (IT) to function, and for some, chiefly government CIO organizations, IT is the core mission. Each organization therefore sits at some level of maturity in its people, processes, and technology. With an understanding of the various facets of DevSecOps methods and ingredients, one can assess the strengths and weaknesses of the organization across each of those areas. With that baseline, organizations can make well-informed decisions about where to focus their short-, mid-, and long-term investments and energy.

As the organization progresses along the maturity continuum, we use metrics to measure and expose both the positive impacts of change and the remaining constraints. Those measurements feed back into the roadmap and help determine where the organization should focus its improvement efforts next.

Continuous Integration & Delivery

Continuous Integration and Delivery is the pipeline at the heart of DevSecOps. The technical practices, processes, and philosophies are enabled through the components of the CI/CD pipeline: software build automation, infrastructure as code provisioning and configuration management, automated security scanning, automated comprehensive testing, and both manual and automated deployment procedures are all instrumented through it. Because every change passes through the pipeline, it is also the natural place to enforce security gates, so that a build with known vulnerabilities cannot reach production by default.

There are many philosophies about how and why different pipeline architectures and implementations are used. Organizations have to decide which model works best given their policies, practices, goals, people, technical skills, and many other factors. Steampunk can build on an existing pipeline or start from our reference architectures, tailored to the organization's unique needs.
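As an added example of the kind of security gate a pipeline can enforce (this is illustrative code written for this page, not Steampunk's own tooling or a reference architecture): a small script that reads the SARIF 2.1.0 output that most static analysis scanners can emit, applies the rule-level defaults the SARIF specification requires when a result omits its own level, suppresses findings that appear in an agreed baseline so the gate can be adopted on an existing code base, and fails the build when any error-level finding or too many warnings remain. The scanner name, rule ids, file paths, and the embedded SARIF document are all constructed for the example.

```python
"""Pipeline security gate over SARIF 2.1.0 static-analysis output.

Constructed example: SAMPLE_SARIF is hand-written to resemble scanner
output; the tool name, rule ids and file paths are invented.
"""
from __future__ import annotations

import json
import sys
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-002", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            # No "level" here: the rule's defaultConfiguration must be used.
            {"ruleId": "LOG-002",
             "message": {"text": "sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str   # SARIF levels: none, note, warning, error
    uri: str
    line: int
    text: str

    @property
    def fingerprint(self) -> str:
        # Stable key used for the baseline (suppression) list.
        return f"{self.rule_id}:{self.uri}:{self.line}"


@dataclass
class GateResult:
    passed: bool
    counts: Counter = field(default_factory=Counter)
    blocking: list[Finding] = field(default_factory=list)
    suppressed: list[Finding] = field(default_factory=list)


def parse_sarif(text: str) -> list[Finding]:
    """Flatten a SARIF document into Finding records."""
    doc = json.loads(text)
    findings: list[Finding] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # Per SARIF 2.1.0, a result without "level" inherits the rule's
        # defaultConfiguration.level, and "warning" if that is absent too.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in rules}
        for res in run.get("results", []):
            rule = res.get("ruleId", "unknown")
            level = res.get("level") or defaults.get(rule, "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule, level,
                loc.get("artifactLocation", {}).get("uri", "?"),
                int(loc.get("region", {}).get("startLine", 0)),
                res.get("message", {}).get("text", "")))
    return findings


def evaluate(findings: list[Finding], max_warnings: int = 0,
             baseline: frozenset[str] = frozenset()) -> GateResult:
    """Fail on any unsuppressed error, or on more than max_warnings warnings."""
    suppressed = [f for f in findings if f.fingerprint in baseline]
    live = [f for f in findings if f.fingerprint not in baseline]
    counts = Counter(f.level for f in live)
    blocking = [f for f in live if f.level == "error"]
    passed = not blocking and counts["warning"] <= max_warnings
    return GateResult(passed, counts, blocking, suppressed)


if __name__ == "__main__":
    # Usage: python gate.py [report.sarif]  -> exit 1 blocks the pipeline stage
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    result = evaluate(parse_sarif(text))
    for f in result.blocking:
        print(f"BLOCK {f.rule_id} {f.uri}:{f.line} {f.text}")
    print("gate:", "PASS" if result.passed else "FAIL", dict(result.counts))
    sys.exit(0 if result.passed else 1)
```

The baseline should be a reviewed, version-controlled file rather than something developers can edit in the same change that introduces a finding; otherwise the gate is trivially bypassed.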

Infrastructure Automation

Infrastructure as Code means that our scripts, server definitions, and parameter and configuration files are stored and versioned in a code repository exactly as application source is, so the means of provisioning and configuring infrastructure go through the same review, testing, and change history as the software itself. This brings many benefits, most notably repeatability, a reviewable audit trail that supports security accreditation, and straightforward distribution of the code.

Through Automated Provisioning and Configuration Management we automate the creation of a computing environment such as a virtual machine or a container, and then automate the configuration and deployment of not only the operating system but any additional software or environments required on that machine. In this fashion, system administrators build out the provisioning and configuration process and get it right once, so that every subsequent deployment is consistent with the definition in the repository and can be executed with the click of a button. Because the environment is rebuilt from code rather than patched in place, configuration drift is visible as a difference between the repository and the running system instead of an undocumented change on a server.

Integrated Security

DevSecOps, at its core, is about creating and managing capabilities for an organization to better achieve its mission. Most commonly, this means deploying production software to users with the features and data access to make those users effective in their jobs.

In Federal Government organizations, security of user access, data, and system infrastructure is paramount to protecting sensitive data and mission operations. The best software engineering skill and the best system administration abilities are worthless if the code being created has security vulnerabilities, or if the servers that deliver the organization's services are exposed to compromise by adversaries.

We incorporate security procedures from the very beginning in every aspect of our work. This includes bringing the tooling required to ensure that code, infrastructure, and platforms are secure, as well as our employees' skill and experience in navigating our clients' security practices and risk management frameworks so that security review does not become the bottleneck on delivery. Considering these aspects of solution creation and deployment proactively avoids significant delays and reduces risk to mission execution.